Currently Debian/Lenny contains all packages needed to run SE Linux. Development continues so there are periodic updates which sit in Unstable for a while before migrating to Lenny (testing).
I have set up my own APT repository for SE Linux packages. This has packages that need newer versions than in Lenny but which will be in Lenny eventually (which includes the latest policy packages) as well as my own modified packages to fix bugs that won’t be fixed in Lenny. After Lenny is released I will maintain the repository for i386 and AMD64 for bug fixes and new features above what is in Lenny.
gpg --keyserver hkp://subkeys.pgp.net --recv-key F5C75256
gpg -a --export F5C75256 | apt-key add -
To enable the use of my repository you must first run the above two commands to retrieve and install my GPG key (take appropriate measures to verify that you have the correct key).
deb http://www.coker.com.au lenny selinux
Then add the above line to /etc/apt/sources.list and run “apt-get update” to download the list of packages.
Next run the command “apt-get install selinux-policy-default selinux-basics” to install all the necessary packages. After that is done the file /.autorelabel needs to exist so that the next boot causes the filesystems to be labeled. The file /boot/grub/menu.lst needs to have “selinux=1” on the end of the line which starts with “# kopt=” (and on the kernel command-lines for each kernel). You can do this manually, but the recommended approach is to run the command selinux-activate; given no parameters it applies all the necessary tweaks to enable SE Linux (it changes the PAM configuration files and the GRUB configuration, and creates /.autorelabel).
Note that if you use gdm then the file /etc/pam.d/gdm needs to have the pam_selinux.so line moved to before the GNOME key lines. I need to update the selinux-basics package for this.
Then reboot and the filesystems will be relabeled. The relabel process will cause a second automatic reboot of the machine (it needs to be rebooted so that init gets the correct context). After that is finished the machine will be running in “permissive mode”, this means that SE Linux will log the actions that it would deny, but they will still be performed.
To put the machine in “enforcing mode” you can run the command “setenforce 1”; this means that SE Linux actually controls access to the machine. When you are confident that the machine is working correctly you can edit the file /etc/selinux/config and change the SELINUX= line to specify “enforcing” mode. The script selinux-config-enforcing will do this for you (with no parameters it configures SE Linux to be in enforcing mode at the next boot). If you need to override this (for example if critical files get the wrong labels and prevent booting) then the kernel command-line option enforcing=0 will override it. I will add a new command selinux-config-enforcing to the selinux-basics package to manage this (it will hopefully be there for Lenny).
If you use Postfix then you need to run it without chroot, the command postfix-nochroot will configure Postfix to not use chroot and will restart it. This script is included in the selinux-basics package but will hopefully be in Postfix for Lenny+1 (I think that many people who don’t use SE Linux will be able to use it).
In summary here are the commands you need:
apt-get install selinux-policy-default selinux-basics
selinux-activate
reboot
postfix-nochroot (optional)
selinux-config-enforcing
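The manual tweaks described above (the “selinux=1” addition to the “# kopt=” line of /boot/grub/menu.lst, the SELINUX= line in /etc/selinux/config and the /.autorelabel flag file) can be tried on copies of the files before a real system is touched. The script below is an added example; it is not code from the post and not the selinux-activate or selinux-config-enforcing scripts from the selinux-basics package. It takes the file paths as arguments (assumption: the files use the same formats as Lenny's /boot/grub/menu.lst and /etc/selinux/config) and the demo at the end runs it on constructed copies in a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original post or the selinux-basics package.
# Applies the manual tweaks listed above to files given as arguments so the
# result can be inspected on copies first. Assumption: Lenny-style
# /boot/grub/menu.lst ("# kopt=..." line) and /etc/selinux/config ("SELINUX=").
set -u

# Append " selinux=1" to each "# kopt=" line that does not already carry it.
# Idempotent: a second run changes nothing. On a real system, run update-grub
# afterwards so the per-kernel command lines are regenerated from kopt.
add_selinux_kopt() {
    menu="$1"
    sed '/^# kopt=/{
/[ =]selinux=1/!s/$/ selinux=1/
}' "$menu" > "$menu.tmp" && mv "$menu.tmp" "$menu"
}

# Number of "# kopt=" lines that already enable SE Linux (0 or 1 normally).
kopt_selinux_count() {
    grep -c '^# kopt=.*[ =]selinux=1' "$1" || true
}

# Rewrite the SELINUX= line; only the three values the config file accepts.
set_selinux_mode() {
    cfg="$1"
    mode="$2"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "set_selinux_mode: unknown mode '$mode'" >&2; return 1 ;;
    esac
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Print the current value of the SELINUX= line.
current_selinux_mode() {
    sed -n 's/^SELINUX=//p' "$1"
}

# Create the flag file that makes the next boot relabel the filesystems.
# "$1" is the root to put it under ("/" on a real system).
request_relabel() {
    touch "$1/.autorelabel"
}

# Demo on constructed copies in a scratch directory (never the live files).
demo() {
    work=$(mktemp -d)
    printf '%s\n' '## kopt=root=/dev/hda1 ro' '# kopt=root=/dev/sda1 ro' > "$work/menu.lst"
    printf '%s\n' 'SELINUX=permissive' 'SELINUXTYPE=default' > "$work/config"
    add_selinux_kopt "$work/menu.lst"
    add_selinux_kopt "$work/menu.lst"      # no-op on the second run
    set_selinux_mode "$work/config" enforcing
    request_relabel "$work"
    cat "$work/menu.lst" "$work/config"
    ls -a "$work"
    rm -r "$work"
}

demo
```

The “## kopt=” documentation line that Debian's menu.lst carries is left alone because the pattern anchors on a single “#” followed by a space; on a real system the same functions would be pointed at /boot/grub/menu.lst, /etc/selinux/config and / respectively, but selinux-activate and selinux-config-enforcing remain the recommended way to do it.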
Running apt-get (or aptitude) update gives a warning: “Conflicting distribution: http://www.coker.com.au lenny Release (expected lenny but got )”. However, it seems to download what it should. I have selinux up and running. Do you know what causes this warning?
kamil: That’s a cosmetic error. I haven’t yet worked out how to solve it.
Don’t forget to uncomment the relevant line in /etc/pam.d/login. Without this you’ll be logged in as local_login_t which is bad. Probably good to take a look at the Debian SELinux setup page on the Debian wiki page: http://wiki.debian.org/SELinux/Setup
Some of the info there does seem to be out of date however.
Philip: I’ve updated this document to describe the correct way of doing this. selinux-basics has commands to do these things, and they were written before your comment (my documentation lagged behind the code – my fault).
Your comment was correct, and will still work for anyone who chooses not to use the scripts.
Hello.
I am using dm-crypted / and /home partitions on my workstation (pure Debian/Lenny, perhaps with some added software like MPlayer from debian-multimedia.org). I would like to start using SELinux on this workstation. I must stress that I use home-brewed initrd to initialize encryption of the partitions (very special one). After pivot_root and executing the system /sbin/init the system boot process continues in common way. Shall I expect some terse complications enabling SELinux in such configuration?
Thank you for your response.
Sincerely,
—
mjf
mjf: I run several systems in ways that are similar without problem.
Anything that happens before init is not affected by SE Linux – but such things should not leave user-space processes running.
Have you solved this error or warning yet?
W: Conflicting distribution: http://www.coker.com.au lenny Release (expected lenny but got )
W: You may want to run apt-get update to correct these problems
Thanks,
Cristian F
Hi!
I have another problem since I have installed SELinux and configuring it to run enforced.
I have 2 NTFS hard disks which I mount automatically with fstab. Before I installed SELinux they were mounted properly and all was OK. But after installation, when I boot the system an error appears that says ntfs-3g couldn’t be mounted (ntfs-3g mount failed) and suggests running “modprobe fuse”.
Any idea and suggestions how can I solve this problem?
Thanks,
Cristian F
Hi
I’m running Debian Lenny with the default SELinux packages installed. Is it normal that I’m getting numerous denials (which I’m gradually fixing using audit2allow, generating my own local.te) in regard to logrotate? This is what I have in my local.te right now:
#============= logrotate_t ==============
allow logrotate_t crond_t:process ptrace;
allow logrotate_t inetd_t:process ptrace;
allow logrotate_t init_t:process ptrace;
allow logrotate_t initrc_t:process ptrace;
allow logrotate_t kernel_t:process ptrace;
allow logrotate_t ntpd_t:process ptrace;
allow logrotate_t postfix_master_t:process ptrace;
allow logrotate_t postfix_qmgr_t:process ptrace;
allow logrotate_t restorecond_t:process ptrace;
allow logrotate_t self:capability sys_ptrace;
allow logrotate_t sshd_t:process ptrace;
allow logrotate_t syslogd_t:process ptrace;
allow logrotate_t udev_t:process ptrace;
allow logrotate_t unconfined_home_dir_t:dir search;